[pedigree]

Ive been really busy this week but Ill see if I can send it tomorrow - to the "donate hardware" address?

[Sash]

contact them first for instructions

[mr_jackie]

Is there anyone who can run of Edge OS correctly in Qemu? Is it possible under Windows Qemu?

[pedigree]

If i could figure out a way of extracting it or even extracting the firmware, I would try..

[stephenw10]

Hi,
Did you get any further with this? It's possible to access Redboot as this guy has done it:
https://forum.openwrt.org/viewtopic.php?id=14106
Shame he doesn't say how.

I notice that the first thing in your bootlog is '+'. This is normally generated by Redboot to indicate that the system has been power cycled. It maybe that Redboot has just been set to boot silently or something similar. Is there a delay between the '+' and the kernel booting? If so try Ctrl-C to access Redboot.

Steve

[Sash]

can someone with an openwrt account ask him how he did access redboot, plz.

[stephenw10]

I pm'ed him when I first read the post (some time ago) and received no reply. I'll try again.
A quick bit of googling shows two interstings things:
he's on myspace and checked it yesterday.
http://www.myspace.com/djkrztoff
he works or did work at watchguard.

[stephenw10]

It's probably worth noting here for anyone searching that the X10, X20 and X55 are identical hardware. They were available with or without wireless. I suspect, but can't confirm, that you could add the mini-pci card for wireless but you'd have to drill the case for the antennas. See:
http://watchguard.info/docs/corporate/wg_edge-eDe-MFR_instructions.pdf

[Sash]

indeed theres share the same hw cause u can buy sw licences to upgrade our unit to the next model.
i bought a x10 2 weeks ago but it hasnt arrived yet.

[stephenw10]

Any news on this box yet?

Steve

[stephenw10]

So I got hold of a box myself (99p from Ebay!) it didn't have a power supply but I had several suitable ones to hand, 12V 1.2A center positive.

So far I can replicate the experiences of 'pedigree' above. You have to hold the reset button while powering on to see the boot up on the rear serial connector (115200 bps).

As I suspected you can press Ctrl-C when the '+' appears to get Redboot access however it seems to be password locked.

Steve

[stephenw10]

Just an update.
After reading TFM I have restored my Edge to working order which is fun to play with but not any closer to replacing the firmware.
Some things that might save someone some time.
The default IP of the Watchguard firmware is 192.168.111.1.

I have failed to connect to Redboot via telnet so far.

The device can be reset to factory defaults by holding down the reset button when powering up. I'm uncertain how long it must be held but I think no more than 10 seconds because...
When you boot with the reset button pressed Redboot will boot a backup partition that then resets the main partition and config. If it is successful then the orange LED (marked 'Attn') will light. Only the backup partition has console output on the rear serial port.
The 'Mode' LED indicates a successful connection to WAN1, it will flash while trying to connect.

Internally the device has a surface mounted switch marked 'ON' or '1'. Default is ON. When I first received my box it was totally hosed, only the power led. Only after I moved the switch was I able to recover it. It appears to connect/disconnect a backup battery.

There are several internal headers. Haven't explored them yet. (second serial port? USB?)

I have tried guessing the Redboot password based on the default password for other manufacturers with no luck. Given that I don't even know how many characters it is and this box is supposed to be a security appliance I think I'm wasting my time!

Any suggestions or is it JTAG time?

Steve

[stephenw10]

The white plastic 4 pin header, JP1, at the front of the board, next to the mini-pci socket, is the second serial port. It's 3.3V so you'll need a converter.
The pinout is:
1: 3.3V
2: Rx
3: Tx
4: GND

On this port you get the full boot up sequence as well as system messages from the normal boot partition.
No console access though.

Steve

[stephenw10]

I have confirmed that the switch on the PCB enables/disables the backup battery. Default is enabled. With it enabled going throught the factory reset procedure will restore the firmware but not your settings (local IP, admin logon etc...). Resetting with the switch off trully resets everything.
The box, unusually, has two flash types. Perhaps the 1MB NOR is battery backed?
Update: Nope doesn't seem likely. The actual chip is non volatile flash and it seems to remeber configuration changes across a reboot with the switch in either position.

Without using JTAG I am at a dead end.
My current attack angle is to try and get a root shell by expoiting a bug in the stock interface and then use the mtd command to write the flash.
However it seems that Watchguard haven't left any bugs for me to exploit!

Suggestions?

Steve

[stephenw10]

Some interesting new information.
I successfully downgraded my box to 8.0.3. In order to do this you must have either a valid 'livesecurity' or not connect the box to the internet until after the firmware change.
Upon first boot I got: